ESAs 2025 report on major ICT-related incidents

The European Supervisory Authorities (the European Banking Authority, the European Insurance and Occupational Pensions Authority and the European Securities and Markets Authority) have published their first annual report on major ICT-related incidents under the Digital Operational Resilience Act (DORA). The report covers 2025 and records 3,383 major incidents across all financial sectors. The ESAs emphasise that this figure does not indicate structural weakness as the direct impact on clients and transactions was generally limited.

The report also highlights that ICT risks are increasingly borderless, with around one third of incidents having a cross-border impact. System failures and external events were the main drivers. Nearly one third of incidents originated from third-party failures, with the ESAs highlighting the critical role of outsourced services and the need for robust third-party risk management and oversight. By contrast, the relatively low number of cybersecurity-related incidents suggested that existing safeguards and detection mechanisms were broadly effective. While the sector has demonstrated resilience to ICT-related threats, the ESAs stress that firms must maintain high cybersecurity standards, particularly to keep pace with the potential use of highly capable AI-driven tools.

Return to main website.